Last active
October 23, 2019 18:43
-
-
Save wsargent/11023607 to your computer and use it in GitHub Desktop.
Revisions
-
wsargent revised this gist
Apr 18, 2014 . 1 changed file with 26 additions and 8 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,9 +1,7 @@ #!/bin/bash export PW=`pwgen -Bs 10 1` echo "$PW" > password # Create a self signed certificate & private key to create a root certificate authority. @@ -48,22 +46,42 @@ keytool -gencert -v \ -ext EKU="clientAuth" \ -rfc # Export the client-ca certificate from the keystore. This goes to nginx under "ssl_client_certificate" # and is presented in the CertificateRequest. keytool -export -v \ -alias clientCA \ -file clientca.crt \ -storepass:env PW \ -keystore client.jks \ -rfc # Import the signed certificate back into client.jks. This is important, as JSSE won't send a client # certificate if it can't find one signed by the client-ca presented in the CertificateRequest. keytool -import -v \ -alias client \ -file client.crt \ -keystore client.jks \ -storetype JKS \ -storepass:env PW # Export the client CA to pkcs12, so it's safe. keytool -importkeystore -v \ -srcalias clientCA \ -srckeystore client.jks \ -srcstorepass:env PW \ -destkeystore clientca.p12 \ -deststorepass:env PW \ -deststoretype PKCS12 # Then, strip out the client CA from client.jks. keytool -delete -v \ -alias clientCA \ -storepass:env PW \ -keystore client.jks # List out the contents of client.jks just to confirm it. keytool -list -v \ -keystore client.jks \ -storepass:env PW echo "PW = $PW" -
Apr 18, 2014 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,69 @@ #!/bin/bash -x # brew install pwgen if you're on a Mac. export PW=`pwgen -Bs 10 1` echo "PW = $PW" echo "$PW" > password # Create a self signed certificate & private key to create a root certificate authority. keytool -genkeypair -v \ -alias clientCA \ -keystore client.jks \ -dname "CN=clientCA, OU=Example Org, O=Example Company, L=San Francisco, ST=California, C=US" \ -keypass:env PW \ -storepass:env PW \ -keyalg RSA \ -keysize 2048 \ -ext KeyUsage="keyCertSign" \ -ext BasicConstraints="ca:true" \ -validity 365 # Create another key pair that will act as the client. We want this signed by the client CA. keytool -genkeypair -v \ -alias client \ -keystore client.jks \ -dname "CN=client, OU=Example Org, O=Example Company, L=San Francisco, ST=California, C=US" \ -keypass:env PW \ -storepass:env PW \ -keyalg RSA \ -keysize 2048 # Create a certificate signing request from the client certificate. keytool -certreq -v \ -alias client \ -keypass:env PW \ -storepass:env PW \ -keystore client.jks \ -file client.crq # Make clientCA create a certificate chain saying that client is signed by clientCA. keytool -gencert -v \ -alias clientCA \ -keypass:env PW \ -storepass:env PW \ -keystore client.jks \ -infile client.crq \ -outfile client.crt \ -ext EKU="clientAuth" \ -rfc # Export the client-ca certificate from the keystore. This goes to nginx under "ssl_client_certificate" and is presented in the # CertificateRequest. keytool -export -v \ -alias clientCA \ -file clientca.crt \ -storepass:env PW \ -keystore client.jks \ -rfc # Import the signed certificate back into client.jks. This is important, as JSSE won't send a client certificate if it can't find # one signed by the client-ca presented in the CertificateRequest. keytool -import -v \ -alias client \ -file client.crt \ -keystore client.jks \ -storetype JKS \ -storepass:env PW # Then, strip out the CA's private key from client.jks (not shown) and move client.jks to your key manager.